If you intend to use smart cards, for example, the template
needs to be associated with the specific CSP for that smart card. If you assign the wrong
CSP, the smart card will not work.
NOTE For better security, your certificates should not last forever. They should be set to expire so
you can renew the certificates when appropriate to decrease the chances of their being compromised.
You must balance the certificate life span so that it doesn't become an administrative burden, while
making the life span short enough to minimize the risk of compromise.
Templates also define key usage, which restricts how a certificate can be used. For example,
you may not want certificates designed for signing data to be used for encryption,
because you don't want your data encryption public key to be as generally available
as your general-purpose signing key.
When you install a CA, a number of default certificate templates are installed, as
shown in Table 12-1. Table 12-1 defines the most common certificate types your server
will need to handle.
| Name | Description | Key Usage | Subject |
|---|---|---|---|
| Administrator | Sign and authenticate | Signature and Encryption | User |
| Authenticated Session | Sign operations for authenticating to a Web server | Signature | User |
| Basic EFS | Encrypt data on EFS | Encryption | User |
| CA Exchange | Key storage for keys marked for private key archival | Encryption | Computer |
| CEP Encryption | Ability for holder to act as a registration authority for certificate enrollment protocol (CEP) requests | Encryption | Computer |
| Code Signing | Digitally sign code | Signature | User |
| Computer | Authenticate computer to the network | Signature and Encryption | Computer |
Table 12-1.
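
The key usage categories in Table 12-1 and the life span advice in the note above can be checked against certificates that have already been issued. The following PowerShell function is an added example, not from the book; its name, the 730-day default threshold, and the mapping of X.509 key usage flags onto "Signature" and "Encryption" are assumptions made for illustration.

```powershell
# Added example: classify certificates by key usage and flag long life spans.
# $MaxLifetimeDays is an assumed policy threshold, not a value from the text.
function Get-CertUsageReport {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [int]$MaxLifetimeDays = 730
    )
    begin {
        $flags = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]
        # Assumed grouping of key usage bits into the table's two categories.
        $signing = [int]($flags::DigitalSignature -bor $flags::NonRepudiation)
        $encrypt = [int]($flags::KeyEncipherment -bor $flags::DataEncipherment -bor
                         $flags::KeyAgreement)
    }
    process {
        # The key usage extension is optional; a certificate without it is
        # not restricted by key usage at all, which is worth surfacing.
        $ext = $Certificate.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] } |
            Select-Object -First 1

        if ($null -eq $ext) {
            $usage = 'Unrestricted (no key usage extension)'
        } else {
            $bits       = [int]$ext.KeyUsages
            $canSign    = ($bits -band $signing) -ne 0
            $canEncrypt = ($bits -band $encrypt) -ne 0
            if ($canSign -and $canEncrypt) { $usage = 'Signature and Encryption' }
            elseif ($canSign)              { $usage = 'Signature' }
            elseif ($canEncrypt)           { $usage = 'Encryption' }
            else                           { $usage = 'Other' }
        }

        $lifetime = ($Certificate.NotAfter - $Certificate.NotBefore).Days
        [pscustomobject]@{
            Subject      = $Certificate.Subject
            KeyUsage     = $usage
            LifetimeDays = $lifetime
            DaysLeft     = [int]($Certificate.NotAfter - (Get-Date)).TotalDays
            TooLong      = $lifetime -gt $MaxLifetimeDays
        }
    }
}

# Report on the current user's personal store (read-only).
Get-ChildItem Cert:\CurrentUser\My | Get-CertUsageReport | Format-Table -AutoSize
```

Rows where `KeyUsage` is broader than the issuing template intended, or where `TooLong` is true, are the ones to review.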